Cisco Support Community
Community Member

Slow command execution when ACS is not reachable


We recently deployed Cisco ACS for TACACS+.

During a test, we found out that when ACS is unreachable, the switch takes at least 30 seconds to log in and execute a command.

We have set the server timeout to 2 seconds, but it doesn't help.

Does anyone have the same experience?

Cisco ACS:
IOS: 15.0(2)SE4

aaa group server tacacs+ TACACS-GROUP

     server-private xx.xx.xx.xx timeout 2 key xxxx




Slow command execution when ACS is not reachable

EAP-TLS authentication fails if the:

Server fails to verify the client's certificate, and rejects EAP-TLS authentication.

Client fails to verify the server's certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:

Certificate has expired.

Server or client cannot find the certificate issuer.

Signature check failed.

The client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature for fast reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS configuration includes a session timeout period, ACS caches each TLS session for the duration of the timeout period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

ACS 5.4 supports EAP-TLS session resumption without session state being stored at the server. It also supports the session ticket extension described in RFC 5077. The ACS server creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ACS to resume a session.

Stateless session resumption is supported in a distributed deployment, so that a session ticket issued by one node is accepted by another node.

The entire ticket is authenticated over its fields using a MAC with a 128-bit authentication key. The fields are encrypted using AES-CBC with a 128-bit encryption key and IV that are found in the ticket. The ACS administrator configures a limited lifetime for the session ticket.
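The stateless ticket described above, as an added example that is not ACS or Cisco code: it issues and validates an RFC 5077-style ticket using a constructed 128-bit AES-CBC key, a constructed 128-bit MAC key, an IV carried in the ticket, and an absolute expiry that the validating side enforces. The key values, the field layout, and the use of HMAC-SHA256 as the MAC are assumptions, not details the post gives.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed example keys: a 128-bit AES-CBC key and a 128-bit MAC key, as the ACS text describes.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")
var block, _ = aes.NewCipher(encKey)
// tagOf authenticates every ticket field (IV and ciphertext) with HMAC-SHA256 (assumed MAC).
func tagOf(body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}

// IssueTicket builds IV || AES-128-CBC(state || expiry || PKCS#7 pad) || MAC, RFC 5077 style.
func IssueTicket(state []byte, expires int64) []byte {
	plain := binary.BigEndian.AppendUint64(append([]byte{}, state...), uint64(expires))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ticket := make([]byte, aes.BlockSize+len(plain))
	rand.Read(ticket[:aes.BlockSize]) // fresh random IV, carried in the ticket (crypto/rand is documented never to fail)
	cipher.NewCBCEncrypter(block, ticket[:aes.BlockSize]).CryptBlocks(ticket[aes.BlockSize:], plain)
	return append(ticket, tagOf(ticket)...)
}

// ResumeTicket checks the MAC before decrypting, then strips padding and enforces the lifetime.
func ResumeTicket(ticket []byte, now int64) ([]byte, error) {
	n := len(ticket) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tagOf(ticket[:n]), ticket[n:]) {
		return nil, errors.New("ticket rejected: malformed or MAC mismatch")
	}
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ticket[:aes.BlockSize]).CryptBlocks(plain, ticket[aes.BlockSize:n])
	m := len(plain) - int(plain[len(plain)-1]) // payload end once PKCS#7 padding is stripped
	if m < 8 || m == len(plain) || m < len(plain)-aes.BlockSize {
		return nil, errors.New("ticket rejected: bad padding")
	}
	if now > int64(binary.BigEndian.Uint64(plain[m-8:m])) {
		return nil, errors.New("ticket rejected: expired")
	}
	return plain[:m-8], nil
}
```

Because the MAC is verified before any decryption and the expiry lives inside the encrypted payload, a client cannot extend a ticket's lifetime or alter its state without the server-side keys.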

Community Member

Slow command execution when ACS is not reachable

Workaround:

Remove the timeout command on the TACACS server.

Apply the global timeout command:

tacacs-server timeout 2
